New scanning tool?

["Portnoy, Gary" <gportnoy () BELENOSINC COM>]

Hey there,

In the last two days I noticed a peculiar scan with a signature i had not
encoutered before.  This scan seems to be a combination SNMP/NBT scan.
Strange combination, I know.  Maybe somebody knows what it is.  First thing
is a ping sweep, and at the same time a UDP packet to port 161 to all the
addresses.  Now, the machines that respond to the ping, get a subsequent UDP
packet to port 137.  The SNMP packet is resent 2 more times every 5 seconds
in the first instance I encountered.  The SNMP packet is resent 6 times in
the second scan with this pattern: 2 second pause, 4 second pause, 2 second
pause, 4 second pause, etc.   Unfortunately SNORT didn't capture anything, I
wish portscan plugin  could log packets to a file, so I don't know what the
SNMP string was, or what was the payload in the NBT packet...

Ideas?

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C